Yet Another Chinese-Based Targeted Malware Attack

MalwareCity's Bogdan Botezatu reports on a recently discovered targeted attack that uses the escalation in tensions with Iran as a lure to get victims to open a tainted Word document.

"The latest targeted attack comes in the form of a browser exploitation spread through a Word (.doc) document bundled with spam mail. The English-language document - titled "Iran's Oil and Nuclear Situation.doc" - bets on user curiosity over political tension between the West and Iran," the article states.

Given that the malicious emails were not distributed via bulk spamming networks, Botezatu believes the attack may be specifically aimed at infecting U.S. government and military personnel.

"This is clearly a targeted attack – it may aim at US military staff involved in Iranian military operations. The malware has not been delivered by mass spam and has not shown up in honeypots, or e-mail addresses used by the antivirus industry to attract and catch malware," Botezatu reports.

The malware utilizes multiple layers of obfuscation, according to Botezatu, and will have already infected the target device before network defenses have the chance to scan and mitigate the attack.

"The document contains a Shockwave Flash applet that tries to load a video file (.mp4) from hxxp://208.1xx.23x.76/test.mp4. This MP4 file isn’t your regular YouTube video. It has been crafted to include a valid header so it can legitimately identify itself as MP4, but the rest of the file is filled with 0x0C values. When the file loads and the Flash Player tries to render the MP4, it triggers an exploit in the Adobe Flash plugin (CVE-2012-0754), that ultimately drops an executable file embedded in the initial .doc," Botezatu explains.
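As an added illustration of the file layout Botezatu describes (a valid MP4 header followed by a body of 0x0C filler), here is a defensive heuristic in Python that walks the top-level MP4 box structure and flags files whose header is followed by near-uniform filler. This is example code written for this page, not code from the original article or from MalwareCity; the two samples are constructed inline, and the 0.95 dominant-byte threshold is an assumption.

```python
import struct
from collections import Counter

def ftyp_box():
    # Minimal, valid 'ftyp' box: major brand, minor version, compatible brands.
    payload = b"isom" + struct.pack(">I", 0x200) + b"isomiso2mp41"
    return struct.pack(">I", 8 + len(payload)) + b"ftyp" + payload

# Constructed samples (not the real file): one with the header-then-0x0C layout
# the article describes, one with a well-formed 'mdat' box holding varied bytes.
PADDED_SAMPLE = ftyp_box() + bytes([0x0C]) * 4096
MDAT_PAYLOAD = bytes(range(256)) * 4
BENIGN_SAMPLE = ftyp_box() + struct.pack(">I", 8 + len(MDAT_PAYLOAD)) + b"mdat" + MDAT_PAYLOAD

def parse_boxes(data):
    """Walk top-level MP4 boxes (size, type); stop at the first malformed one."""
    boxes, off = [], 0
    while off + 8 <= len(data):
        size, kind = struct.unpack(">I4s", data[off:off + 8])
        if size == 1:                      # 64-bit 'largesize' follows the header
            if off + 16 > len(data):
                break
            size = struct.unpack(">Q", data[off + 8:off + 16])[0]
        elif size == 0:                    # box runs to end of file
            size = len(data) - off
        if size < 8 or off + size > len(data) or not kind.isalnum():
            break                          # 0x0C filler fails both checks here
        boxes.append((kind.decode("ascii"), off, size))
        off += size
    return boxes, off

def assess_mp4(data, min_ratio=0.95):
    """Flag files whose valid 'ftyp' header is followed by near-uniform filler."""
    boxes, parsed = parse_boxes(data)
    has_ftyp = bool(boxes) and boxes[0][0] == "ftyp"
    tail = data[boxes[0][2]:] if has_ftyp else data   # everything after 'ftyp'
    dominant, ratio = None, 0.0
    if tail:
        dominant, count = Counter(tail).most_common(1)[0]
        ratio = count / len(tail)
    return {
        "has_ftyp": has_ftyp,
        "structure_ok": parsed == len(data),   # every byte sits in a well-formed box
        "dominant_byte": dominant,
        "dominant_ratio": ratio,
        "suspicious": has_ftyp and bool(tail) and ratio >= min_ratio,
    }
```

Calling `assess_mp4(PADDED_SAMPLE)` reports a dominant byte of 0x0C at ratio 1.0 with the box structure broken after `ftyp`, while `assess_mp4(BENIGN_SAMPLE)` parses cleanly and is not flagged.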

Adding to the threat of infection is the fact that most commercial antivirus solutions have yet to identify the malware strain, leaving the majority of targeted devices susceptible to infection.

"The payload is also an advanced persistent threat - extremely difficult to detect once inside the network. Although it’s more than a week old, the backdoor still has poor detection, with only 7 of 42 antivirus solutions able to detect it," Botezatu said.

Analysis of the attack's IP addresses and the location of the command and control (C&C) servers indicates that the origin of the attack is most likely China.

"This dropped file is stored in the temporary folder and executed. It is a 4.63 MB file that mimics the Java Updater application and appears to originate from China. It... connects to C&C servers hosting many other Chinese websites," the article states.

Many security experts point out the difficulty involved in accurate attribution. Proxies, routing tricks, compromised machines, and spoofed IP addresses can be easily coordinated to give the appearance that an attack is originating far from the actual source.

In many cases, it is nearly impossible to clearly determine the origin of an attack, and even more difficult to ascertain if the event was state-sponsored or instigated by individual actors. It also raises serious questions as to what the appropriate response would then be.

"Activities attributed to state sponsored operators often appear to target data that is not easily monetized in underground criminal online auctions or markets but highly valuable to foreign governments. Highly technical defense engineering information, operational military data, or government policy analysis documents rarely if ever appear to be a priority for cybercriminal groups," the Northrop Grumman report noted.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
